Thursday, January 26, 2006

Kama Sutra Worm Malware Attack Due February 3

Security Experts Warn of Kama Sutra Worm

Security analysts are warning computer users about a new and potentially destructive Internet worm that can obliterate important documents. The worm, called Kama Sutra, is making the rounds now, but is scheduled to execute its first massive attack on February 3.

Detected last week, the malicious worm targets computers running Windows and spreads primarily by copying itself to shared network locations and then sending itself to e-mail addresses found on afflicted computers. With subject lines that read "the best videoclip ever," "give me a kiss," and "school girl fantasies gone bad," the worm entices computer users to open the attached file.
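A defender's first response to a mass-mailing worm with known lure subjects is to watch the mail gateway for them and to find out which internal senders are already emitting the lures (the worm mails itself from infected machines). The following is an added example, not code from the article or from any of the vendors it quotes: a small Python scanner that parses constructed gateway log lines in a hypothetical format, matches subjects case-insensitively against the three lure lines the article reports, and tallies hits per sender so suspected infected hosts stand out. The log format, addresses and file names are all assumptions made up for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Lure subject lines reported for the worm in the article; matched case-insensitively
LURE_SUBJECTS = (
    "the best videoclip ever",
    "give me a kiss",
    "school girl fantasies gone bad",
)

# Constructed sample log lines in a hypothetical gateway format (not real worm traffic):
# <timestamp> from=<addr> to=<addr> subject="<text>" attachment=<name or ->
SAMPLE_LOG = """\
2006-01-26T09:14:02 from=alice@example.test to=bob@example.test subject="Q1 budget" attachment=budget.xls
2006-01-26T09:15:40 from=mallory@example.test to=bob@example.test subject="The Best Videoclip Ever" attachment=video.zip
2006-01-26T09:16:11 from=carol@example.test to=dave@example.test subject="give me a kiss" attachment=-
2006-01-26T09:17:55 from=mallory@example.test to=dave@example.test subject="School Girl Fantasies Gone Bad!!" attachment=pics.scr
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<recipient>\S+) '
    r'subject="(?P<subject>[^"]*)" attachment=(?P<attachment>\S+)$'
)


@dataclass
class Hit:
    timestamp: str
    sender: str
    recipient: str
    subject: str          # subject exactly as logged
    attachment: Optional[str]
    lure: str             # which known lure line it matched


def normalize(subject: str) -> str:
    """Lowercase, collapse whitespace and drop trailing punctuation so
    minor variations of a lure ("...Bad!!") still match."""
    s = re.sub(r"\s+", " ", subject.strip().lower())
    return s.rstrip("!.?")


def match_lure(subject: str) -> Optional[str]:
    """Return the lure line a subject matches, or None."""
    s = normalize(subject)
    for lure in LURE_SUBJECTS:
        if s == lure:
            return lure
    return None


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict; None if the line is not in the expected format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text: str) -> List[Hit]:
    """Run the lure check over every parseable line and collect the hits."""
    hits: List[Hit] = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        lure = match_lure(rec["subject"])
        if lure is None:
            continue
        attachment = None if rec["attachment"] == "-" else rec["attachment"]
        hits.append(Hit(rec["ts"], rec["sender"], rec["recipient"],
                        rec["subject"], attachment, lure))
    return hits


def hits_per_sender(hits: List[Hit]) -> Dict[str, int]:
    """Count lure messages per sender; repeat senders are the likely infected hosts."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.sender] = counts.get(h.sender, 0) + 1
    return counts


def suspected_senders(hits: List[Hit], min_hits: int = 2) -> List[str]:
    """Senders that emitted at least min_hits lure messages, sorted for stable output."""
    return sorted(s for s, n in hits_per_sender(hits).items() if n >= min_hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.timestamp} {h.sender} -> {h.recipient}: matched '{h.lure}' (attachment={h.attachment})")
    print("suspected infected senders:", suspected_senders(found))
```

Matching the subject alone is deliberately loose so that a single hit from an outside address is only a signal; the per-sender count is what turns it into an actionable lead, since an internal address sending several lure messages is almost certainly an infected machine that needs to be isolated before the third of the month.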

"This worm feeds on people's willingness to receive salacious content on their desktop computer, but they could be putting their entire company's data at risk," said Graham Cluley, senior technology consultant at Sophos.

According to Sophos, on the third of each month, the worm will attempt to disable existing antivirus and firewall software and also will delete specific files, such as Microsoft Office documents.

Waxing or Waning Threat
The worm -- also known as Blackworm, Nyxem-D, and W32.Blackmail.E, among others -- was, according to Sophos, the most frequently sighted e-mail worm last week. Sophos statistics indicate that, within the last 24 hours alone, the worm has accounted for some 23 percent of all virus reports.

There are disagreements in the security industry about the severity of the worm, with Symantec and F-Secure taking different positions on the issue. Controversy stems from interpreting one of the worm's most intriguing features: a Web counter. Once the worm infects a new computer, it accesses a Web page on which there is a counter. The counter number increases whenever the Web page is accessed.

Andrew Jaquith, a Yankee Group senior analyst, said that most reports indicate that the counter had risen already to 700,000, which could indicate that nearly a million computers are infected.

Much of the speculation in the industry about the potential for damage done by the Kama Sutra worm centers on the counter number -- which might count unique machines, or might count repeated accesses to the counter page by the same machine. One of the things that is "sorely lacking" with mass outbreak malware like the Kama Sutra worm, Jaquith said, is any real sense of how many machines are compromised.

"We still don't know, for example, how many machines were really affected by the WMF vulnerability," he explained. "The antivirus vendors don't seem to know either, or are unwilling to divulge much -- possibly because it would expose gaps in their signature coverage."

Back to Old-School
To address what is so far the most expansive malware attack in 2006, speculation among security vendors and researchers has focused on the destructive nature of the worm. Unlike most viruses currently in the wild, the Kama Sutra code is not intended to reap the code writer a windfall of ill-gotten gains. The hacker designed the worm to create mayhem by destroying documents.

"The reason why experts at Sophos believe the worm is likely to have been written by an old-school hacker rather than an organized criminal is its destructive payload," Cluley explained. "That kind of destructive behavior is not typical of financially motivated worms because the damage is too obvious to the end user."

Frost & Sullivan analyst Rob Ayoub said he is not convinced that the worm represents the work of an old-school hacker. This worm is something that the industry has not seen in about a year. "This is just something we haven't seen in a while. It's not a botnet or a zombie. It's a throwback to malware that only seeks to create havoc."

ActiveX Controls
Of greater concern, said Ayoub, is the worm's ability to trick Windows into accepting a malicious ActiveX control by presenting a phony digital signature. Discovered originally by Fortinet, the worm apparently adds some 18 entries to the Windows Registry, allowing it to install an ActiveX control that can circumvent Windows' defense mechanisms.

The development is interesting, Ayoub said, because, heretofore, the assumption has been that if a piece of software has a digital signature, then it is safe. Ayoub said Microsoft will need to take a serious look at digital-signature technologies.

"In the past, it has always been if the company signs it, then it must be authentic," Ayoub said. "Microsoft needs to look at the digital signing process or else we will see more things like this and that is pretty dangerous because that gets around some of the safeguards that are supposed to keep these things out."

Analysts are urging computer users, especially home users, to make sure that they have up-to-date antivirus software installed on their machines. "There should be no excuse for any data being lost on February 3 by this worm, but there is always the danger that some home users will not have heard that warning," Cluley said.